From now on, the /end_session endpoint of the OAuth2 service verifies post-logout redirect URIs. Each URI must be pre-registered for the client that you use to call the endpoint.

When you call the /end_session endpoint, the OAuth2 service expects to receive a post-logout redirect URI in the query string.
If you register only one redirect URI for the client, the OAuth2 service, by default, uses it as the post-logout redirect URI.
However, if you register multiple redirect URIs for your client, you must include the post_logout_redirect_uri parameter in the query string to avoid a 400 error response.
Additionally, you must pass the query parameter if the client has no registered redirect URIs. If you do not, the OAuth2 service stops the flow and returns a 400 error.
Furthermore, if you pass an unregistered URI in the query string, the OAuth2 service stops the flow and returns a 400 error.

It is recommended that you pass the post_logout_redirect_uri parameter in all of your requests. This helps to prevent any situation where your code stops functioning because you registered an additional redirect URI for your client.
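
The rules above, modelled as an added example (not the OAuth2 service's own code), show why omitting the parameter breaks once a second URI is registered. The exact string comparison, the base URL, and the sample URIs are assumptions constructed for illustration.

```python
from urllib.parse import urlencode


class LogoutRejected(Exception):
    """Stands in for the 400 error response described in the note."""
    status = 400


def resolve_post_logout_uri(registered, requested=None):
    """Return the URI the flow would redirect to, or raise LogoutRejected.

    registered: redirect URIs pre-registered for the client.
    requested:  value of post_logout_redirect_uri, or None if omitted.
    """
    if requested is None:
        # Only a single registration gives the service a default to use.
        if len(registered) == 1:
            return registered[0]
        raise LogoutRejected("post_logout_redirect_uri is required")
    # Assumption: registration is checked by exact string comparison.
    # A client with no registrations is treated as having no match here;
    # the note does not spell out that combination.
    if requested not in registered:
        raise LogoutRejected("post_logout_redirect_uri is not registered")
    return requested


def build_end_session_url(base_url, post_logout_uri):
    """Build the logout request with the parameter always present."""
    query = urlencode({"post_logout_redirect_uri": post_logout_uri})
    return f"{base_url}/end_session?{query}"


if __name__ == "__main__":
    base = "https://oauth2.example.invalid"      # placeholder base URL
    uris = ["https://shop.example/bye"]          # constructed sample
    print(resolve_post_logout_uri(uris))         # default is used
    uris.append("https://shop.example/admin/bye")  # second registration
    try:
        resolve_post_logout_uri(uris)            # same call now fails
    except LogoutRejected as exc:
        print(exc.status, exc)
    # Passing the parameter explicitly keeps working after the change.
    print(resolve_post_logout_uri(uris, "https://shop.example/bye"))
    print(build_end_session_url(base, "https://shop.example/bye"))
```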

Find out more:

  • For more information about the /end_session endpoint, see the OAuth2 service's API reference.
  • For more information about the post-logout redirect URIs, see the related release notes.
